Joomla one click update for plugin (update key needed)


Ruud van Lent

Apr 28, 2016, 6:49:08 AM
to Joomla! General Development
Hi,

I am looking at what is the best way to have the Joomla One click update work for an update file to a plugin that is for registered users only.
The tool providing the file has the possibility to generate a download ID that can / needs to be inserted as part of the update query.

In a component it is possible to create an input field for this download key and a button that when clicked will insert the key into the table,
but I was wondering if this is possible for plugins as well?

What is a best practice for this?

Walt Sorensen

May 1, 2016, 12:15:10 AM
to Joomla! General Development
Generally, it seems most developers are passing a key as a URL param in the update_url.

This way they can tell all users about the update, but only those with a valid key can get the update.
(I can only comment on what I see being done, I can't give you specifics on implementation)

shumisha

May 5, 2016, 6:45:54 AM
to Joomla! General Development
Hi Ruud,

This is certainly possible but is the hard way. Joomla has an API for that actually. Your plugin needs to implement:

public function onInstallerBeforePackageDownload(&$url, &$headers)

This event is triggered by Joomla before starting the download of an extension (when using the one-click updater). You are provided with the URL and the headers Joomla will use to perform the download, so you can add whatever information you want to them.

You can have a field in your plugin params where the user enters their download_id, and then add it to the URL when the download event happens. Something like this probably:

$downloadId = $this->params->get('update_credentials_download_id', '');

// Bind credentials to the request by appending them to the download URL.
// The value is URL-encoded so a key containing &, # or spaces cannot alter the query string.
if (!empty($downloadId))
{
    $separator = strpos($url, '?') !== false ? '&' : '?';
    $url .= $separator . 'dlid=' . urlencode($downloadId);
}

return true;

Rgds
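
The handler described above, expanded as an added example that is not part of the post or of Joomla itself: it appends the key only to HTTPS downloads from the vendor's own host, because the event runs before every extension download. The host name, the helper name bindDownloadId and the third handler argument are assumptions made so the block runs outside Joomla.

```php
<?php
// Added example, not code from the thread. UPDATE_HOST and the sample URLs are
// constructed placeholders; 'dlid' is the parameter name used in the post above.
const UPDATE_HOST = 'updates.example.com'; // hypothetical vendor download host

/**
 * Return $url with the download ID appended, or $url unchanged when it is not
 * an HTTPS download from our own update host.
 */
function bindDownloadId($url, $downloadId, $allowedHost = UPDATE_HOST)
{
    $parts = parse_url($url);
    // The event fires for every extension download. Leave other vendors' URLs
    // and plain-HTTP URLs alone so the key is never sent where it does not belong.
    if ($downloadId === '' || !isset($parts['scheme'], $parts['host'])
        || strtolower($parts['scheme']) !== 'https'
        || strtolower($parts['host']) !== $allowedHost) {
        return $url;
    }

    // Do not add the parameter twice if the URL already carries one.
    parse_str(isset($parts['query']) ? $parts['query'] : '', $query);
    if (isset($query['dlid'])) {
        return $url;
    }

    // Encode the key so characters such as & or # cannot alter the query string.
    $separator = strpos($url, '?') !== false ? '&' : '?';
    return $url . $separator . 'dlid=' . rawurlencode($downloadId);
}

// Handler shaped like the one in the post. In a plugin the third argument would
// not exist; the value would come from $this->params->get(...) instead.
function onInstallerBeforePackageDownload(&$url, &$headers, $downloadId)
{
    $url = bindDownloadId($url, trim($downloadId));
    return true;
}

// Constructed sample URLs: own host, another vendor, own host over plain HTTP.
foreach (array(
    'https://updates.example.com/get.php?ext=plg_demo',
    'https://other-vendor.example.org/pkg.zip',
    'http://updates.example.com/get.php',
) as $sample) {
    $headers = array();
    onInstallerBeforePackageDownload($sample, $headers, 'abc 123&x');
    echo $sample, PHP_EOL;
}
```

Only the first sample URL comes back with a dlid parameter; the other two are printed unchanged.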

Ruud van Lent

May 9, 2016, 10:09:53 AM
to Joomla! General Development
Hi @shumisha,
this is exactly what I was looking for :)
Thanks for pointing me in the right direction!
regards,
Ruud.

ced1870

May 10, 2016, 6:59:22 AM
to Joomla! General Development
Hi
We agree that with this method, anyone who has the key can update your products for free on any website?
You don't care about domain validation?
CEd

shumisha

May 10, 2016, 7:35:44 AM
to Joomla! General Development
Hi

Whether you check the domain or not is not related to the method to attach a download id. It's something you have to do on the server granting access to the download, on top of checking whether the id is valid.
Using the Joomla API, you can pass along the request any information you want, so the current domain can also be added, or any other information.
Of course, this is open source software, so any user can just remove that check.

Rgds

shumisha

May 10, 2016, 7:40:20 AM
to Joomla! General Development
And of course, reliably checking the domain from the update download server is not really possible. Indications coming from the request can be spoofed, and you can't get the domain from the IP address, so basically you have to trust your users ;)
It's all about how far you want to go!

Ruud van Lent

May 10, 2016, 3:26:39 PM
to Joomla! General Development
Agree, alternative is that One click update notifies of updated version but the update doesn't work. You should then log in to your component/plugins provider website and download (if you have a valid subscription) the extension. Then you install it manually. Even then there is still the possibility of your plugin showing up on some other site. Either the file is distributed or the subscriber shares his download information.

For every protection you build in, there is always a workaround. Using the download ID you can monitor what is the website that is the 'referrer' and possibly (if your subscription software allows) you can limit the number of downloads of a specific version for a specific key.
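
The server-side check discussed in the last few posts, as an added example that is not taken from any participant or subscription product: the download ID decides access, downloads of one version are capped per key, and the Referer is recorded but never used to authorize. The key format, the limit of 3, the version parameter and the status codes are assumptions.

```php
<?php
// Added example, not code from the thread. The key list, the limit, the
// 'version' parameter and the sample requests are constructed assumptions.
const MAX_DOWNLOADS_PER_VERSION = 3; // assumed policy value
/**
 * Decide whether an update download may be served.
 * $counts is keyed "dlid|version" and is incremented on success.
 */
function authorizeDownload(array $validIds, array &$counts, array $query, array $server)
{
    $dlid    = isset($query['dlid']) && is_string($query['dlid']) ? $query['dlid'] : '';
    $version = isset($query['version']) && is_string($query['version']) ? $query['version'] : '';

    // Reject malformed input before it reaches storage or logs.
    if (!preg_match('/^[A-Za-z0-9]{16,64}$/D', $dlid) || !preg_match('/^\d+(\.\d+){1,3}$/D', $version)) {
        return array('status' => 400, 'reason' => 'malformed request');
    }

    // The download ID is the credential: check it against every known key
    // with hash_equals so the comparison time does not depend on the match.
    $known = false;
    foreach ($validIds as $candidate) {
        $known = hash_equals($candidate, $dlid) || $known;
    }
    if (!$known) {
        return array('status' => 403, 'reason' => 'unknown download id');
    }

    // Cap downloads of one version per key, as suggested in the thread.
    $slot = $dlid . '|' . $version;
    $used = isset($counts[$slot]) ? $counts[$slot] : 0;
    if ($used >= MAX_DOWNLOADS_PER_VERSION) {
        return array('status' => 429, 'reason' => 'download limit reached');
    }
    $counts[$slot] = $used + 1;

    // The Referer header is client-supplied: keep it for monitoring only.
    $referer = isset($server['HTTP_REFERER']) ? substr($server['HTTP_REFERER'], 0, 200) : '';
    return array('status' => 200, 'reason' => 'ok', 'seen_referer' => $referer);
}

// Constructed sample: one valid key requesting the same version four times.
$validIds = array('0123456789abcdef0123456789abcdef');
$counts   = array();
$request  = array('dlid' => $validIds[0], 'version' => '1.2.3');
for ($i = 1; $i <= 4; $i++) {
    $result = authorizeDownload($validIds, $counts, $request, array('HTTP_REFERER' => 'https://site.example/'));
    echo $i, ': ', $result['status'], ' ', $result['reason'], PHP_EOL;
}
```

The first three requests are served and the fourth is refused by the per-version cap; a request with an unknown key is refused regardless of the Referer it sends.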

Ole Ottosen (ot2sen)

May 10, 2016, 3:40:07 PM
to joomla-de...@googlegroups.com
Just a note on good practice to make sure people reading this thread are not getting "good ideas" (and obviously how to not get listed on JED) is that domain/installation use limitation is not allowed.

See JED Entries Checklist C2.1
http://extensions.joomla.org/support/knowledgebase/item/jed-entries-checklists#licensechecklist


Webmaster, Boldt Webservice

May 10, 2016, 3:40:51 PM
to joomla-de...@googlegroups.com
May I hook up here?
> …You should then login to your component/plugins provider website and
> download (if you have a valid subscription) the extension. then you
> install in manually. Even then there is still the possibility of your
> plugin showing up on some other site. Either the file is distributed…
Did I understand licensing correctly? If I write an extension to Joomla,
then I have to set it under GPL2 or later? Then distributing is allowed
and wanted, therefore I can't protect it against distributing.

Romana

Ruud van Lent

May 11, 2016, 5:43:27 AM
to Joomla! General Development
With my (very) limited legal knowledge I think you are correct. I also think that if you don't use the JED you can do what you want, there are other ways to promote / sell your component. I prefer to stick to the JED as this is a trusted and go-to source for good extensions.

I have no problem with it, if it wasn't for this 'license' Joomla (or any other Open Source project) wouldn't be where it is now.

[rant mode on]
Although I have no problem with it for my own free component which I give away in exchange for an email address (not to spam but to follow up / connect etc.), I sometimes get 'frustrated' that roughly 20% actually comes from legit email addresses. 80% of the downloads are via fake email addresses (the ones you can use for one day) or via distribution / installation on other domains. Amongst the downloaders of my plugin there are a lot of web developers who download the plugin once, and install it for their customers... This is according to the GPL license so no problem with that, but for me as a developer it is rewarding to connect with the downloaders (read users), get feedback, see how and where my plugin is used... That is where I get the energy to maintain the plugin... well at least 20% gives me that energy
[/rant mode off]

ced1870

May 11, 2016, 7:07:22 AM
to Joomla! General Development
To be clear, my intention is not to limit anything. The purpose is to give the automatic update to the user.
As Ruud has said, the user can go on the website to log in and download. Using a key + domain check according to information entered in the member area on your website, you can make a check on your server and if correct, then you push the file to install automatically. Else the user must do it manually.

shumisha

May 11, 2016, 7:14:55 AM
to Joomla! General Development
Hi,

There may be 2 things being mixed up here:

- distribution of the (GPL-licensed) plugin cannot be limited, which means that if someone got your plugin, regardless of how they got it, they can use it as they like, redistribute it to others, install it on their customer sites, even set up a paying download for it on their site, etc.

- you can however restrict the one-click updater to only some domains, or to a number of installs, etc. What you are limiting in that case is not the distribution of the software itself, but the usage of your download infrastructure and servers.

Restricting the one-click updater access does not break the GPL (which would prevent you from getting on the JED for instance), just like reserving access to the download area to paying members does not break it either.
Not only is this allowed by the GPL license, but highly encouraged (as a means to "sell" GPL software), in order to increase the production and uptake of open-source software (see: http://www.gnu.org/philosophy/selling.en.html).

Rgds

ced1870

May 12, 2016, 6:59:17 AM
to Joomla! General Development
I agree :)